D-TRUST 2048 SigG Signing Problem

Thorsten Engel

Hi all,

I have the above card (ATR: 3B F2 18 00 02 C1 0A 31 FE 58 C8 08 74) which contains 2 certs with private keys. One of the certs has a SigG cert which only allows "sign, nonrepudiation", the other cert allows "sign,decrypt". With the second one, the fallback to "decrypt" works nicely and I can sign. But the first one gives me headaches. It tries to sign, but the card always returns with "6982" (Security status not satisfied). I already tried different signature techniques ("stripped raw hash", "RSA_PURE_SIG") by patching the card-cardos.c, but no difference. It doesn't matter if I use openssl, pkcs11-tool, etc.

I'm stuck! Can you please help me ;-)

2011-01-19 20:03:51.959 [opensc-pkcs11] card.c:329:sc_unlock: called
2011-01-19 20:03:51.959 [opensc-pkcs11] card-cardos.c:764:cardos_set_security_env: returning with: 0 (Success)
2011-01-19 20:03:51.959 [opensc-pkcs11] sec.c:70:sc_set_security_env: returning with: 0 (Success)
2011-01-19 20:03:51.959 [opensc-pkcs11] sec.c:52:sc_compute_signature: called
2011-01-19 20:03:51.959 [opensc-pkcs11] card-cardos.c:810:cardos_compute_signature: called
2011-01-19 20:03:51.959 Forcing RAW_HASH
2011-01-19 20:03:51.959 trying RSA_SIG (just the DigestInfo)
2011-01-19 20:03:51.959 trying to sign raw hash value with prefix
2011-01-19 20:03:51.959 [opensc-pkcs11] apdu.c:527:sc_transmit_apdu: called
2011-01-19 20:03:51.959 [opensc-pkcs11] card.c:295:sc_lock: called
2011-01-19 20:03:51.959 reader 'REINER SCT cyberJack pinpad/e-com USB 52'
2011-01-19 20:03:51.960
Outgoing APDU data [  266 bytes] =====================================

======================================================================
2011-01-19 20:03:51.960 [opensc-pkcs11] reader-pcsc.c:175:pcsc_internal_transmit: called
2011-01-19 20:03:51.999
Incoming APDU data [    2 bytes] =====================================
69 82 i.
======================================================================
2011-01-19 20:03:51.999 [opensc-pkcs11] card.c:329:sc_unlock: called
2011-01-19 20:03:51.999 required access right not granted
2011-01-19 20:03:52.000 [opensc-pkcs11] card-cardos.c:796:do_compute_signature: returning with: -1211 (Security status not satisfied)
2011-01-19 20:03:52.000 Failed to sign raw hash value with prefix when forcing
2011-01-19 20:03:52.000 [opensc-pkcs11] card-cardos.c:864:cardos_compute_signature: returning with: -1300 (Invalid arguments)
2011-01-19 20:03:52.000 [opensc-pkcs11] sec.c:56:sc_compute_signature: returning with: -1300 (Invalid arguments)
2011-01-19 20:03:52.000 [opensc-pkcs11] card.c:329:sc_unlock: called
2011-01-19 20:03:52.000 [opensc-pkcs11] pkcs15-sec.c:371:sc_pkcs15_compute_signature: sc_compute_signature() failed: -1300 (Invalid arguments)
2011-01-19 20:03:52.000 [opensc-pkcs11] card.c:329:sc_unlock: called
2011-01-19 20:03:52.000 [opensc-pkcs11] reader-pcsc.c:540:pcsc_unlock: called
2011-01-19 20:03:52.000 Sign complete. Result -1300.
2011-01-19 20:03:52.000 libopensc return value: -1300 (Invalid arguments)
2011-01-19 20:03:52.000 C_SignFinal() = CKR_ARGUMENTS_BAD
2011-01-19 20:03:52.000 C_Finalize()

 

Thorsten Engel


_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: D-TRUST 2048 SigG Signing Problem

Peter Koch-5
Hi Thorsten,

> I have the above card (ATR: 3B F2 18 00 02 C1 0A 31 FE 58 C8 08 74) which contains 2 certs with private keys. One of the certs has a SigG cert which only allows "sign, nonrepudiation", the other cert allows "sign,decrypt". With the second one, the fallback to "decrypt" works nicely and I can sign. But the first one gives me headaches. It tries to sign, but the card always returns with "6982" (Security status not satisfied). I already tried different signature techniques ("stripped raw hash", "RSA_PURE_SIG") by patching the card-cardos.c, but no difference. It doesn't matter if I use openssl, pkcs11-tool, etc.
>
> I'm stuck! Can you please help me ;-)


I would like to know

- which OpenSC version you are using
- what kind of D-Trust 2048bit card you are using (Version 2.2c, Version 2.4, etc.)
- what the debug output of a complete signature operation looks like

Peter
